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DETAILED ACTION 

1 . Claims 1-24 are pending in this office action. 

2. In view of the appeal brief filed on March 20, 2009, PROSECUTION IS HEREBY 
REOPENED. A new ground of rejection is set forth below. 

To avoid abandonment of the application, appellant must exercise one of the 
following two options: 

(1 ) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply 
under 37 CFR 1.113 (if this Office action is final); or, 

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41 .31 followed 
by an appeal brief under 37 CFR 41 .37. The previously paid notice of appeal fee and 
appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth 
in 37 CFR 41 .20 have been increased since they were previously paid, then appellant 
must pay the difference between the increased fees and the amount previously paid. 

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by 
signing below: 

/Gilberto Barron Jr./ 

Supervisory Patent Examiner, Art Unit 2432 

Claim Objections 

3. Claim 12 is objected to because of the following informalities: claim 12 is 
dependent on itself. Appropriate correction is required. 
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Claim Rejections - 35 USC § 101 

4. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

5. Claims 1-22 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claims 1-19 are rejected under 35 U.S.C. 101 based on Supreme Court 
precedent and recent Federal Circuit decisions, a 35 U.S.C § 101 process must (1) be 
tied to a particular machine or (2) transform underlying subject matter (such as an 
article or materials) to a different state or thing. In re Bilski et al, 88 USPQ 2d 1385 
CAFC (2008); Diamond v. Diehr, 450 U.S. 175, 184 (1981); Parker v. Flook, 437 U.S. 
584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S. 63, 70 (1972); Cochrane v. 
Deener, 94 U.S. 780,787-88 (1876). 

An example of a method claim that would not qualify as a statutory process 
would be a claim that recited purely mental steps. Thus, to qualify as a § 101 statutory 
process, the claim should positively recite the particular machine to which it is tied, for 
example by identifying the apparatus that accomplishes the method steps, or positively 
recite the subject matter that is being transformed, for example by identifying the 
material that is being changed to a different state. 

Here, applicant's method steps are not tied to a particular machine and do not 
perform a transformation. Thus, the claims are non-statutory. 
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The mere recitation of the machine in the preamble with an absence of a 
machine in the body of the claim fails to make the claim statutory under 35 USC 101 . 
Note the Board of Patent Appeals Informative Opinion Ex parte Langemyer et al. 

Claims 20-22 are rejected because a computer usable medium can be tangible 
and non-tangible. Examples can be found in paragraph 0011 of the specification. 

Claim Rejections 

6. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior office action. 

Claim Rejections - 35 USC § 102 

7. Claims 1 . 3. 4. 20. 23. and 24 are rejected under 35 U.S.C. 102(a/e) as being 
anticipated by Casco-Arias et al. (U.S. Patent Pub. No. 2004/0250141). 

Regarding claim 1 , Casco-Arias et al. teaches a method/computer system 
comprising: 

• Describing a plurality of password policies in a computer usable password policy 
data structure (fig. 1 , ref. num 132): 

• Accessing said computer usable password policy data structure by a password 
policy enforcement agent (fig. 1 , ref. num 1 10 and paragraph 0019); and 
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• Enforcing at least one of said plurality of password policies described within said 
password policy data structure by said password policy enforcement agent (fig. 
1, ref. num 130 and paragraph 0021). 

Regarding claim 20 , Casco-Arias et al. teaches instructions on a computer 
usable medium wherein the instructions when executed cause a computer system to 
perform a method of establishing a consistent password policy, said method comprising: 

• Describing a plurality of password policies in a computer usable password policy 
data structure (fig. 1, ref. nuum 132); 

• Providing an access point with access to said computer usable password policy 
data structure (fig. 1 , ref. num 1 10 and paragraph 0019); and 

• Receiving feedback from a password policy enforcement agent associated with 
said access point about which of said plurality of password policies have been 
successfully enforced (paragraph 0019-0020). 

Regarding claim 23 , Casco-Arias et al. teaches a computer system comprising: 

• A computer usable password policy data structure comprising a plurality of 
password policies (fig. 1, ref. num 132): 

• A server configured to proved access to said computer usable password policy 
data structure at an access point configured to enforce at least one of said 
plurality of password policies using a password policy enforcement agent (fig. 1 , 
ref. num 130 and paragraph 0021). 
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Regarding claim 3 , Casco-Arias et al. teaches wherein said password policy 
enforcement agent is operable on a client computer of a client-server computer system 
(paragraph 0023). 

Regarding claims 4 and 24 , Casco-Arias et al. teaches wherein said method is 
operable on a utility data center (fig. 2). 

Regarding claim 5 , Casco-Arias et al. teaches further comprising validating said 
computer usable password policy data structure for authenticity by said password policy 
enforcement agent (paragraph 0006). 

Claim Rejections - 35 USC § 103 

8. Claim 2, 19, and 21 is rejected under 35 U.S.C. 1 03(a) as being unpatentable 
over Casco-Arias et al. (U.S. Patent Pub. No. 2003/0065942) in view of Cole et al. (U.S. 
Patent Pub. No. 2002/0161707). 

Regarding claims 2 and 21 , Casco-Arias et al. teaches all the limitations of 
claims 1 and 20, above. However, Casco-Arias et al. does not teach wherein said 
computer usable password policy data structure comprises a file structure compatible 
with extensible markup language. 
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Cole et al. teaches wherein said computer usable password policy data structure 
comprises a file structure compatible with extensible markup language (paragraph 
0067). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine using XML for the password policy structure, as taught 
by Cole et al. , with the method of Casco-Arias et al. It would have been obvious for 
such modifications because XML is flexible and easy to read, both of which are 
important when creating and updating password policies. 

Regarding claim 19 , Casco-Arias et al. teaches all the limitations of claim 1 , 
above. However, Casco-Arias et al. does not teach further comprising providing, by 
said password policy enforcement agent, feedback to a configuration and aggregation 
point, about which of said plurality of password policies have been successfully 
enforced. 

Cole et al. teaches further comprising providing, by said password policy 
enforcement agent, feedback to a configuration and aggregation point, about which of 
said plurality of password policies have been successfully enforced (paragraph 0083). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine providing feedback for successful enforcement, as 
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taught by Cole et al. , with the method of Casco-Arias et al. It would have been obvious 
for such modifications because feedback informs the user/administrator that the policy 
being enforced is working. 

Claims 6-18 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Casco-Arias et al. (U.S. Patent Pub. No. 2003/0065942) in view of Password 
Policy of eRA (referred to as Password Policy hereinafter). 

Regarding claims 6-18 and 22 , Casco-Arias et al. teaches all the limitations of 
claims 1 and 20, above. However, Casco-Arias et al. does not teach specific policy 
types. 

Password Policy teaches comprising a computer access password policy 
parameter selected from the set of computer access password policy parameters 
comprising: a threshold parameter for unsuccessful access attempts that when 
exceeded disables a computer system access account; a parameter indicating the a 
time duration within which said threshold parameter number of unsuccessful access 
attempts triggers locking of a computer system access account; an initial delay 
parameter to block access to a computer system access account for a period of time 
after an unsuccessful access attempt; a minimum password length parameter; a 
maximum password length parameter; a parameter to prohibit passwords consisting of 
a natural language word; a parameter to prohibit passwords consisting of a palindrome; 
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a parameter to prohibit passwords consisting of a derivative of a computer system 
account name; a parameter to automatically generate a password; a parameter to 
automatically generate a pronounceable password consistent with all of said plurality of 
password policies; and a parameter to specify a set of characters utilizable to 
automatically generate a password (page 2-4, section 5.0 through 5.5). 

It would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to combine a plurality of different password policies, as taught by 
Password Policy , with the method/computer system of Casco-Arias et al. It would have 
been obvious for such modifications because the policies taught by Password Policy 
reduce the risk of unauthorized access to servers and databases (see page 1 , section 
1 .0 of Password Policy). 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to BRANDON S. HOFFMAN whose telephone number is 
(571)272-3863. The examiner can normally be reached on M-F 8:30 - 5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Brandon S Hoffman/ 

Primary Examiner, Art Unit 2436 



